Fr. 52.50

Hacking Multifactor Authentication

English · Paperback / Softback

Shipping usually within 1 to 3 working days

Description


Protect your organization from scandalously easy-to-hack MFA security "solutions"
 
Multi-Factor Authentication (MFA) is spreading like wildfire across digital environments. However, hundreds of millions of dollars have been stolen from MFA-protected online accounts. How? Most people who use multifactor authentication (MFA) have been told that it is far less hackable than other types of authentication, or even that it is unhackable. You might be shocked to learn that all MFA solutions are actually easy to hack. That's right: there is no perfectly safe MFA solution. In fact, most can be hacked at least five different ways. Hacking Multifactor Authentication will show you how MFA works behind the scenes and how poorly linked multi-step authentication steps allow MFA to be hacked and compromised.
 
This book covers over two dozen ways that various MFA solutions can be hacked, including the methods (and defenses) common to all MFA solutions. You'll learn about the various types of MFA solutions, their strengths and weaknesses, and how to pick the best, most defensible MFA solution for your (or your customers') needs. Finally, this book reveals a simple method for quickly evaluating your existing MFA solutions. If using or developing a secure MFA solution is important to you, you need this book.
* Learn how different types of multifactor authentication work behind the scenes
* See how easy it is to hack MFA security solutions--no matter how secure they seem
* Identify the strengths and weaknesses in your (or your customers') existing MFA security and how to mitigate
Author Roger Grimes is an internationally known security expert whose work on hacking MFA has generated significant buzz in the security world. Read this book to learn what decisions and preparations your organization needs to take to prevent losses from MFA hacking.

List of contents

Introduction xxv
 
Who This Book is For xxvii
 
What is Covered in This Book? xxvii
 
MFA is Good xxx
 
How to Contact Wiley or the Author xxxi
 
Part I Introduction 1
 
1 Logon Problems 3
 
It's Bad Out There 3
 
The Problem with Passwords 5
 
Password Basics 9
 
Identity 9
 
The Password 10
 
Password Registration 11
 
Password Complexity 11
 
Password Storage 12
 
Password Authentication 13
 
Password Policies 15
 
Passwords Will Be with Us for a While 18
 
Password Problems and Attacks 18
 
Password Guessing 19
 
Password Hash Cracking 23
 
Password Stealing 27
 
Passwords in Plain View 28
 
Just Ask for It 29
 
Password Hacking Defenses 30
 
MFA Riding to the Rescue? 31
 
Summary 32
 
2 Authentication Basics 33
 
Authentication Life Cycle 34
 
Identity 35
 
Authentication 46
 
Authorization 54
 
Accounting/Auditing 54
 
Standards 56
 
Laws of Identity 56
 
Authentication Problems in the Real World 57
 
Summary 58
 
3 Types of Authentication 59
 
Personal Recognition 59
 
Knowledge-Based Authentication 60
 
Passwords 60
 
PINS 62
 
Solving Puzzles 64
 
Password Managers 69
 
Single Sign-Ons and Proxies 71
 
Cryptography 72
 
Encryption 73
 
Public Key Infrastructure 76
 
Hashing 79
 
Hardware Tokens 81
 
One-Time Password Devices 81
 
Physical Connection Devices 83
 
Wireless 87
 
Phone-Based 89
 
Voice Authentication 89
 
Phone Apps 89
 
SMS 92
 
Biometrics 92
 
FIDO 93
 
Federated Identities and APIs 94
 
OAuth 94
 
APIs 96
 
Contextual/Adaptive 96
 
Less Popular Methods 97
 
Voiceover Radio 97
 
Paper-Based 98
 
Summary 99
 
4 Usability vs Security 101
 
What Does Usability Mean? 101
 
We Don't Really Want the Best Security 103
 
Security Isn't Usually Binary 105
 
Too Secure 106
 
Seven-Factor MFA 106
 
Moving ATM Keypad Numbers 108
 
Not as Worried as You Think About Hacking 109
 
Unhackable Fallacy 110
 
Unbreakable Oracle 113
 
DJB 113
 
Unhackable Quantum Cryptography 114
 
We are Reactive Sheep 115
 
Security Theater 116
 
Security by Obscurity 117
 
MFA Will Cause Slowdowns 117
 
MFA Will Cause Downtime 118
 
No MFA Solution Works Everywhere 118
 
Summary 119
 
Part II Hacking MFA 121
 
5 Hacking MFA in General 123
 
MFA Dependency Components 124
 
Enrollment 125
 
User 127
 
Devices/Hardware 127
 
Software 128
 
API 129
 
Authentication Factors 129
 
Authentication Secrets Store 129
 
Cryptography 130
 
Technology 130
 
Transmission/Network Channel 131
 
Namespace 131
 
Supporting Infrastructure 131
 
Relying Party 132
 
Federation/Proxies 132
 
Alternate Authentication Methods/Recovery 132
 
Migrations 133
 
Deprovision 133
 
MFA Component Conclusion 134
 
Main Hacking Methods 134
 
Technical Attacks 134
 
Human Element 135
 
Physical 137
 
Two or More Hacking Methods Used 137
 
"You Didn't Hack the M

About the author










ROGER A. GRIMES is a computer security professional and penetration tester with over three decades of experience. He's an internationally renowned consultant and was the IDG/InfoWorld/CSO magazine weekly columnist for fifteen years. He's a sought-after speaker who has given talks at major security industry events, including RSA, Black Hat, and TechMentor.

Product details

Authors Roger A. Grimes
Publisher Wiley, John and Sons Ltd
 
Languages English
Product format Paperback / Softback
Released 31.10.2020
 
EAN 9781119650799
ISBN 978-1-119-65079-9
No. of pages 576
Subjects Natural sciences, medicine, IT, technology > IT, data processing > Data communication, networks

Computer science, Network security, Hacking, Networking / Security, Multi-factor authentication
